[57] ABSTRACT

Commercial transactions conducted over a telecommunications link are verified using a transaction key available at both ends of the link. The transaction key is produced by combining (1) data supplied to the retailer by a customer and stored by the bank with (2) data stored by the retailer. The telecommunications link includes a node which passes the retailer's data to the bank in the form of a label obtained by encrypting the retailer's code with a client code. The bank retrieves the bank code and decrypts the label to obtain the retailer's code. The bank also retrieves the customer's data and combines the two elements to obtain the same transaction key that was created at the retailer's terminal.

14 Claims, 4 Drawing Figures 
GENERATION OF IDENTIFICATION KEYS

This invention relates to the generation of identification keys and especially identification keys for use in the automatic transfer of funds by telecommunication networks.

This application is related to my copending application Ser. No. 581,897 filed concurrently herewith.
The transfer of funds involves three parties, namely,

(1) the customer

(2) the retailer

(3) the customer's bank

and verifying the identities of the parties is important, e.g. to prevent frauds or other criminal activities. Systems of this nature utilize identification keys which must be kept secret. Two such keys are needed, i.e.

(a) a key known only to the customer and the bank

(b) a key known only to the retailer and the customer's bank.

A large system might include 100 banks and 100,000 retailers. Any one of the retailers must be able to deal with any one of the banks so that the number of possible pairings is the product of 100 and 100,000; i.e. 10^7. Therefore, the system would need 10^7 different secret keys each of which is present at two locations, i.e. a bank and a retailer. Thus there would be 100,000 retailers each with 100 keys and 100 banks each with 100,000 keys.

Such a system is cumbersome to the point of being impractical. It is an object of the present invention to reduce the number of keys without substantially reducing the security.

This invention automatically generates an identification key for use in the automatic verification of a transaction involving the transfer of funds by means of a telecommunications link which includes at least one nodal station contributing to the cryptographic function wherein said link connects a first station to a second station. In a preferred form of the invention there is only one nodal station in the link. The key is generated by combining an identification code acquired at the first station (hereinafter the "acquired code"), e.g. by automatically reading a customer's card, with an identification code stored at a first location (hereinafter the "station code"). The combination is preferably achieved by using an or-gate on corresponding bits of the two identification codes. The same two identification codes are required at a second location whereby the same combination is performed to generate the same identification key at both first and second stations. (The first station is usually a retailer's terminal and the second station is usually the automatic processing equipment of a bank, conveniently referred to as "the bank".)

The acquired code is available at the second location because it is the practice of banks to store data relating to their customers. The first station also acquires the storage address of the acquired code at the second station and this address is passed, via the telecommunications link, to the second station. Thus the second station can retrieve the acquired code from its storage means. For the reasons given above, it is inconvenient to store at every bank all the data stored at all the terminals of all the retailers. Thus the station code is stored at the first station and at a nodal station but not at the second station. According to this invention the station code is passed from the nodal station to the second station by an automatic method wherein each nodal station receives a message from a predecessor station, and transmits a message to a successor station wherein each nodal station:

(a) accesses storage means using as address the identity of its predecessor station to retrieve a predecessor key;

(b) accesses storage means using as address the identity of the successor station to retrieve a successor key;

(c) encrypts the predecessor key as data with the successor key as key to generate a label;

(d) concatenates the label with the received message to generate an extended message which is the message transmitted to the successor station.

The message received at the second station includes a label generated at each nodal station. The second station uses the identity of the last nodal station as address to retrieve the key needed to decrypt the first label. This reveals a key which decrypts another label and the process continues until all the labels are decrypted whereby the key used at the first station is revealed. The second station thus has the two identification codes needed for combination to generate the key.

It is emphasized that the station code is potentially available at any nodal station but an outsider would require knowledge of an appropriate key to decrypt the labels and obtain the station code. However, the key used for the transaction also requires that the acquired code be available. This key is not available at any nodal station (and it is not available to an outsider).

Our corresponding patent application (BT Patent Case 22963) (U.S. application Ser. No. 581,897, filed concurrently herewith) describes an automatic process for confirming identities at two different stations which method comprises:

(a) at the first station:

(i) generating a first verification code by encrypting data with a first identification key available at the first station

(ii) transmitting said first verification code to the second station

(b) at the second station:

(i) receiving said first verification code

(ii) decrypting said first verification code using a first verification key available at the second station

(iii) generating a second verification code by encrypting the de-crypt obtained in (b) (ii) with a second verification key available at the second station

(iv) transmitting said second verification code to the first station;

(c) at the first station:

(i) receiving the second verification code

(ii) utilizing a second verification key available at the first station to confirm that second verification code is derived from the same data as the first verification code.

It is preferred to operate this process and the process of this invention in conjunction. Preferably the two methods are operated simultaneously. To utilize the combination, the "first identification key" specified in (a) (i) is the "identification key" generated by combining the "acquired code" and the "station code" of this invention. The "second verification key" specified in (b) (iii) is also stored at the second location and acquired at the first location.
In a commercial transaction it is desirable to provide good security for the identification of a customer. It is conventional for persons to carry a card on which is recorded, in machine readable form, identification data. In case the card is lost the owner remembers a "personal identity number" or "PIN" which is provided to a retailer's terminal by means of a key pad. Identification which includes the PIN sometimes fails, even in the absence of fraud, because of human error in entering the PIN.

In the operation of the method according to the invention it is preferred that the "acquired code" uses only data recorded on the card, which has the result that the "identification key" is not affected by human error. The "second verification key", which is retrieved from storage at the second station, preferably depends on the PIN, but the retrieval at the second station depends on an address automatically read from a card. The second station therefore returns a message to the first station which the first station tries to verify using the human-entered PIN.

The process is initiated at the first station, e.g. after a retailer's terminal has acquired the relevant data from a customer. The initiation usually comprises the automatic transmission of a message to a nodal station, said message including:

(a) an identification of the first station;

(b) an identification of the second station;

(c) the address of the acquired code at the second station, and, preferably;

(d) A transaction component, being a definition of the proposed transaction and/or a random element, said transaction component being encrypted with the transaction key generated by combining the acquired code and the station code.

Item (b) is used at each nodal station to select a successor station and set up a telecommunication link thereto. As stated above, item (b) is also used as the address to retrieve the successor key.

The second key station decrypts all the labels and forms the transaction key as described above. It uses the transaction key to decrypt item (d) and verifies that the proposed transaction is permissible. If all is in order, the second station re-crypts the random element with a PIN related key and returns the encrypted message to the first station. The return does not need to pass via the nodal stations; any route set up by the public switched method is suitable. The first station decrypts the returned message and verifies identity using a key derived from the PIN input by a (human) customer on its key pad. This final step may fail because of human error and it is usual to offer the customer a plurality of attempts, e.g. up to four, to correct the error, but all these re-trials involve only the first location. It is clearly desirable that data representations transmitted through the nodal stations should all be produced automatically whereby all transmitted data representations have machine accuracy.

An embodiment of the invention will now be described by way of example with reference to the accompanying drawings in which:

FIG. 1 illustrates one link which is set up for a single transaction.

FIG. 2 illustrates the equipment at the first station, e.g. a retailer's terminal.

FIG. 3 illustrates the equipment at a node, and

FIG. 4 illustrates the equipment at the second station, e.g. at a bank's terminal.




In an extensive fund transfer system, e.g. covering the whole British Isles or the whole of the European Economic Community, there would probably participate more than 100,000 retailers and more than 100 banks. It would be inconvenient to provide initial direct access from every retailer to every bank since this would require at least 10^7 keys. This invention links the retailer and banks via nodal stations which perform cryptographic functions.

For example, the system could comprise 100 nodal stations each of which can be contacted, via a public switched telecommunications network, by 1000 retailers and 100 (i.e. all) the banks. (This reduces the number of keys from 10^7 to 2×10^5.)

It should be noted that this preferred embodiment utilizes only one nodal station in any one link, and the term "node" will be used to imply a link of this type.

It is emphasized that the stations (i.e. first, second and nodal) communicate via a public switched telecommunications network which sets up the links needed to perform the method of the invention. The network includes switching centres which are included in the links. The switching centres do not contribute to the cryptographic system and the switching centres are not to be identified with nodal stations.

The terminal 10 of a retailer reads a customer's card in reader 20. This identifies the customer and his bank 12. Terminal 10, which has access to node 11 by modem 28 (but not to any of the other 99 nodes in the network), transmits via link 13 this information to node 11 which sets up a connection 14 to bank 12. For verification, a transaction key is generated and this key is known only to terminal 10 and bank 12. It is an important feature that the transaction key is not known to node 10, or anything else in the circuit except the two ends. Link 13 and connection 14 are provided by a public switched network and, as is conventional, both include one or more switching centres.

The transaction key is generated at terminal 10 and bank 12 from the following information.

(1) Customer data. This is information contained on a data card carried by the customer and, optionally, from a personal identification number known to the customer but not on the card. This information is acquired by card reader 20 and/or entered by the customer on a key pad (not shown) and entered therefrom into storage means 22 and 25 comprised in terminal 10. Similar information is also contained in storage means 46 at the bank 12 (but it is not available at node 11).

(2) Station Key of the Retailer. This is a secret key available only at the terminal 10 in store 23 and the node 11 in store 34. The node 11 holds 1000 such keys in storage means 34 and, when a terminal identifies itself, the node retrieves the right key by accessing its storage means 34. The retailer's key is not available at the bank 12.

(3) Bank Key. This is a secret key available only at node 11 and bank 12. Each bank holds this key in its own storage means. The bank key is not available at the terminal 10. The bank-store 45 holds a different key for each node; the node-store 34 holds a different key for each bank.

The generation of the transaction key will now be described.

Terminal 10 acquires customer data and the address of the customer's bank from card reader 20. The customer data is placed in stores 22 and 25; the bank's address is placed in store 26. The terminal holds the station key in store 23 and the retailer's identity in store 24.

The customer data, in store 22, is combined with the station key, in store 23, using or-gate 27 on corresponding bits as in one-shot-pad encryption. This produces a transaction key which is stored in store 29 at terminal 10 and which has to be made available at bank 12 without transmission.

[illegible] signal to the node 11, which signal contains, in clear and intelligible form, its own identity from store 24, the [illegible] identity of the customer's bank from store 26. No keys are transmitted; this is an important feature of the system.

The node receives the signal on modem 30 and separates it to hold the retailer's identity in store 31, the bank's identity in store 32 and the customer's identity in store 33.

Random access storage means 34 is addressed using the content of store 31 (i.e. the retailer's identity) to retrieve the retailer's key which is placed in store 37. RAM 34 is also addressed using the content of store 32 to retrieve the bank key which is placed in store 36. Cypher engine 38 uses the content of store 37 (i.e. the retailer key) as data and the content of store 36 (i.e. the bank key) as key to produce an encrypted token which is placed in store 39.

The node concatenates:

(a) the content of store 33 (i.e. the customer's alleged identity);

(b) the content of store 35 (i.e. the identity of the node 11);

(c) the content of store 39 (i.e. the encrypted token);

and modem 40 transmits the resulting string to the bank 12.

The bank 12 receives the composite signal on modem 41 and separates it to obtain the following three items:

(a) the alleged identity of the customer, which is stored in store 44;

(b) the identity of the node 11, which is stored in store 42; and

(c) the encrypted token, which is stored in store 43.

These are used in four steps as follows:

STEP I

Item (a) is retrieved from store 44 and used to address the bank's storage means 46 to retrieve customer data (which should be identical with that read at terminal 10) and which is placed in store 51.

STEP II

Item (b) is retrieved from store 42 and used to address the bank's storage means 45 to retrieve a bank key (which should be identical to that used at node 11) and which is placed in store 47.

STEP III

Item (c) is retrieved from store 43 and decrypted by cypher engine 48 using as key the content of store 45. The decrypt (which should be the station key used by node 11) is stored in store 49.

STEP IV

The content of store 49 (i.e. the retailer key generated in step III) is combined with the content of store 51 (i.e. customer data retrieved in step I) in or-gate 50 and the result is stored in store 51. This replicates the process used at terminal 10. This should generate the same transaction key which is stored at terminal 10. As this key is known at both ends, it can be used to validate the transaction.

It will be apparent that any failure to retrieve correct data will cause the sequence to fail and abort the transaction. Any criminal attempt to operate a dishonest sequence would require exact knowledge of all the keys. Therefore keeping the keys secret is an important requirement for a sure and secure operation.

As a modification to enable the [illegible] to operate even if node 11 fails, the terminal 10 may have access to [illegible] illustrated) [illegible] preferably requires a second key [illegible] Department of Commerce [illegible].

[illegible] keys can be used to operate the system described [illegible] 22963) U.S. application Ser. No. 581,897, filed concurrently herewith.

The above description is based on a transaction involving a customer, a retailer and the customer's bank wherein communication is via a node in a telecommunication network. It is a feature of the invention that an important part of the verification is assigned to the node. The invention is generally applicable where it is convenient to assign part of the verification to a node or to verify that communication passed via an expected node. The transaction would also involve the retailer's bank and communication would also pass via the node. [illegible] of the transaction could also be verified by the invention, e.g. by replacing "Customer data" (item (1) above) by "Retailer data" available at the retailer's terminal and the retailer's bank (but not at the node).

The description above relates to a preferred embodiment wherein there is only one node between the first and second stations. In certain circumstances it is desirable to utilize a chain of nodal stations, each of which operates as described above, with the key of its predecessor in store 37 and the key of its successor in store 36. The bank decrypts each label in turn and each decryption reveals the key for use in the next step.

A system with 10^7 retailers and 1,000 banks linked via 10,000 nodes would require 10^7 keys for use between nodes and retailers and 10^10 keys for use between nodes and banks. It is possible to reduce the number of keys by utilizing links with two nodal stations, i.e. retailer nodal stations which communicate primarily with retailers and bank nodal stations which communicate primarily with banks.

Using 10,000 retailer nodal stations and 10 bank nodal stations would reduce the number of keys to 10^7 for use between retailers and retailer nodal stations; 1,000 for use between banks and bank nodal stations and 100,000 between nodal stations.

In use, the first station initiates the processes as described above and sends a message to its retailer nodal station which forms a first label by encrypting a first key with a second key. The retailer nodal station concatenates the first label and passes on the message to the bank nodal station appropriate to the desired second station. The bank nodal station forms a second label by encrypting the second key with a third key, concatenates the second label with the message and sends it to the second station.

The second station retrieves the third key and decrypts the second label to reveal the second key. It then uses the second key to decrypt the first label and reveal the first key. At this point the system proceeds as described above.
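
The two-node label chain described above, as an added example in Python that is not part of the patent text: a retailer nodal station and a bank nodal station each append one label, and the second station peels them in reverse to rebuild the transaction key. The exclusive-or combination follows claims 6, 8 and 10; the HMAC-SHA256 keystream standing in for the cypher engine, the 16-byte key length, the message field names and every identifier and key value are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 16  # bytes; assumed for the example, the page fixes no key length


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Combine two equal-length codes bit by bit (exclusive-or, claims 6, 8, 10)."""
    if len(a) != len(b):
        raise ValueError("codes must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, nonce: bytes) -> bytes:
    # Assumed stand-in for the "cypher engine": one HMAC-SHA256 block used as a pad.
    return hmac.new(key, nonce, hashlib.sha256).digest()[:KEY_LEN]


def seal(key: bytes, data: bytes) -> bytes:
    """Encrypt KEY_LEN bytes of data under key; a fresh nonce is prepended."""
    nonce = secrets.token_bytes(8)
    return nonce + xor_bytes(data, keystream(key, nonce))


def unseal(key: bytes, blob: bytes) -> bytes:
    """Reverse seal(): split off the nonce and remove the pad."""
    return xor_bytes(blob[8:], keystream(key, blob[:8]))


def terminal_start(term_id, station_key, customer_data, addr, bank_id, element):
    """First station: build the transaction key locally; no key is transmitted."""
    tkey = xor_bytes(customer_data, station_key)
    message = {
        "first": term_id,    # item (a): identity of the first station
        "second": bank_id,   # item (b): identity of the second station
        "addr": addr,        # item (c): address of the acquired code at the bank
        "component": seal(tkey, element),  # item (d): random element under the key
        "route": [],         # identities of the nodes passed, in order
        "labels": [],        # one label appended per nodal station
    }
    return tkey, message


def node_forward(node_id, key_store, message, predecessor_id, successor_id):
    """Nodal station: label = predecessor key encrypted under the successor key."""
    label = seal(key_store[successor_id], key_store[predecessor_id])
    out = dict(message)
    out["route"] = message["route"] + [node_id]
    out["labels"] = message["labels"] + [label]
    return out


def bank_recover(node_keys, customers, message):
    """Second station: peel labels last-to-first, then replicate the combination."""
    key = node_keys[message["route"][-1]]   # addressed by the last node's identity
    for label in reversed(message["labels"]):
        key = unseal(key, label)            # each decrypt reveals the next key
    tkey = xor_bytes(customers[message["addr"]], key)
    return tkey, unseal(tkey, message["component"])


def demo():
    # All identifiers and key values below are constructed for this example.
    k1, k2, k3 = (secrets.token_bytes(KEY_LEN) for _ in range(3))
    customer_data = secrets.token_bytes(KEY_LEN)
    element = secrets.token_bytes(KEY_LEN)
    retailer_node = {"T10": k1, "BN": k2}   # first key, second key
    bank_node = {"RN": k2, "BANK12": k3}    # second key, third key
    bank_keys, customers = {"BN": k3}, {"cust-0042": customer_data}

    tkey, msg = terminal_start("T10", k1, customer_data, "cust-0042", "BANK12", element)
    msg = node_forward("RN", retailer_node, msg, "T10", "BN")
    msg = node_forward("BN", bank_node, msg, "RN", "BANK12")
    bank_tkey, bank_element = bank_recover(bank_keys, customers, msg)

    # Failure mode: one flipped bit in a label gives the bank a different key.
    bad = dict(msg)
    first = bytearray(msg["labels"][0])
    first[-1] ^= 0x01
    bad["labels"] = [bytes(first), msg["labels"][1]]
    bad_tkey, bad_element = bank_recover(bank_keys, customers, bad)

    held_by_nodes = set(retailer_node.values()) | set(bank_node.values())
    return {
        "keys_match": bank_tkey == tkey,
        "element_ok": bank_element == element,
        "tampered_key_differs": bad_tkey != tkey,
        "tampered_element_differs": bad_element != element,
        "tkey_held_by_a_node": tkey in held_by_nodes,
    }


if __name__ == "__main__":
    print(demo())
```

The stand-in cipher carries no integrity check, so a corrupted label is not rejected on decryption; it surfaces only as a transaction key that fails to decrypt item (d) to the expected value.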

It is emphasised that the methods disclosed herein are automatic methods carried out electronically. Reference to "Key", "Data" and "Information" should be construed as representations suitable for automatic processing. Different forms of representation are appropriate in different parts of the method, e.g. electromagnetic or electrical pulses during transmission, magnetisation for storage and voltage or currents for processing elements.

I claim;

1. A method for automatically establishing a transaction key at predetermined first and second stations in a system having a multitude of similar first and second stations joined by means of a telecommunication link and including but a single intermediate or nodal data processing station connected between said predetermined first and second stations, without revealing said transaction key at said nodal station, said method comprising the steps of:

(a) at the predetermined first station

(i) combining first data available at both said predetermined first and second stations with second data available at the first station and the nodal station, to generate the transaction key for use in encrypting further data to be transmitted to said second station,

(ii) transmitting to the nodal station third data identifying the first station, the second station and the address of the first data at the predetermined second station;

(b) at the nodal station

(i) accessing nodal storage means using the identity of the predetermined first station as an address to retrieve pre-stored data corresponding to said second data used in step (a) (i),

(ii) accessing nodal storage means using the identity of the predetermined second station as address to retrieve an encryption key characteristic of said second station,

(iii) producing an encrypted label by encrypting the pre-stored data retrieved in step (b) (i) with the encryption key retrieved in step (b) (ii),

(iv) transmitting to the second station the identity of said nodal station;

(c) at the predetermined second station

(i) accessing storage means located at the second station using the identity of the nodal station as address to retrieve an encryption key characteristic of the predetermined second station,

(ii) decrypting the label with the key retrieved in step (c) (i),

(iii) accessing storage means located at the second location using the address of the first data transmitted from the first station,

(iv) combining the data retrieved in step (c) (iii) with the decrypt from step (c) (ii) in a replication of step (a) (i) to generate said transaction key at said second station;

wherein, in a correct operation of the sequence, the data retrieved in step (c) (iii) is the same as the first data used in step (a) (i), and the decrypt obtained in step (c) (ii) is the same as the second data used in step (a) (i),

whereby the transaction key produced in step (c) (iv) is the same as the transaction key produced in step (a) (i).

2. A method according to claim 1, wherein step (a) (ii) further includes the transmission of data representing the identity of the predetermined first station and additional data being transmission data encrypted with the transaction key code established in step (a) (i), as key.

3. A method according to claim 2, wherein the transmitted data includes a random element.

4. A method according to claim 2, wherein a further step (b) (iv), occurring between steps (b) (iii) and (c) (i), includes transmitting data representing the identity of the nodal station, and forwarding the encrypted additional data received from the predetermined first station.

5. A method according to claim 4, wherein the predetermined second station decrypts the encrypted additional data using as key the transaction key generated in step (c) (iv).

6. A method according to claim 5, in which the transaction keys of steps (a) (i) and (c) (iv) are generated by an exclusive-or-gate.

7. A station, adapted to participate in a method according to claim 2, as said predetermined first station and comprising;

(a) input means for acquiring

(i) data representing identification of a second station,

(ii) said first data, and

(iii) data representing an address where the first data is stored at the second station;

(b) storage means operatively connected to the input means for storing the data acquired by the input means;

(c) storage means for storing said second data representing a station code;

(d) combining means for combining the first data and the second data;

(e) concatenating means for producing message data by concatenating the data representing the identity of the second station, the address of the first data at the second station and data representing an identification of the predetermined first station; and

(f) means, operatively connected to the concatenating means, for transmitting the message to a nodal station.

8. A first station according to claim 7, wherein the combining means is an exclusive-or-gate means for accepting and combining the first data and second data as input.

9. A station, adapted to participate in a method according to claim 5 as said predetermined second station and comprising

(a) storage means for storing data representing

(i) the identity of nodal stations properly able to communicate with the second station, and

(ii) the identity of customers associated with this second station;

(b) retrieval means for accessing the storage means with data representing the identity of a nodal station and retrieving a key associated with this second station;

(c) cypher engine means for decrypting a label using as key the retrieval key of this second station;

(d) retrieval means for accessing the storage means with the data representing the identity of a customer as address to retrieve the first data also used at the first station; and

(e) combining means for combining the locally retrieved first data with the retrieved key of this station to obtain the transaction key.

10. A station according to claim 9, wherein the combining means is an exclusive-or-gate means for accepting the retrieved key of this station obtained from said cypher engine means and the locally retrieved first data from the retrieval means as input.

11. An automatic process for establishing the same cryptographic identification key at first and second stations joined by a telecommunications link which includes a data processing nodal station, said establishment being achieved without revealing said key at said nodal station, which method comprises

(a) at the first station

(i) combining initiation data available at both first and second stations with identification code data available at the first station and said nodal station to generate the identification key;

(ii) transmitting to the nodal station an identification of the first station, of the second station and the address of the initiation data also located in data storage means at the second station;

(b) at said nodal station accessing storage means at the nodal station using the identity of the first station as an address to retrieve identification code data corresponding to that used in step (a) (i) and passing said retrieved code data and the identity of said nodal station to the second station;

(c) at the second station

(i) receiving the retrieved code data retrieved in step (b);

(ii) accessing storage means located at the second location using the address transmitted from the first station to retrieve said initiation data;

(iii) combining the retrieved initiation data retrieved in step (c) (ii) with the retrieved code received in step (c) (i) in a replication of step (a) (i) to locally generate said identification key at said second station;

wherein, in a correct operation of the sequence, the initiation data retrieved in step (c) (ii) is the same as the initiation data used in step (a) (i) and the retrieved code received in step (c) (i) is the same as the identification code data used in step (a) (i) whereby the identification key produced in step (c) (iii) is the same as the identification key produced in step (a) (i).

12. Apparatus to be located at a service point for 
achieving secure cryptographic data communication, 
concerning a customer to be serviced, with a predeter- 
mined one of plural remote stations via a predetermined 55 
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one of plural intermediate data processing nodes and 
wherein (1) each said remote station maintains address- 
able stored key data KD1" for each valid customer and 
stored key data KD2" for the remote station address- 
able via data representing each valid node; and (2) each 
said node maintains node identification data NID for 
tran sm is si on to the remote station, addressable stored 
key data KD3' representing each valid service point, 
and addressable stored key data KD2' representing each 
valid remote station, wherein KD3' is encrypted by 
KD2' and transmitted to the remote station where it is 
decrypted by KD2" to yield key data KD3" corre- 
sponding to the service point which is then combined 
with DK1" to generate a cryptographic transaction key 
at the remote station; said apparatus comprising at each 
service point; 
data reader means for generating key data KD1 and 
further data Dl representing said customer and for 
also generating data D2 representing the remote 
station; 

data storage means for storing key data KD3 and 
further data D3 representing the service point; 

key generation means for combining said DK1 and 
KD3 data to produce a cryptographic transaction 
key at the service point identical to the one gener- 
ated at the remote station; and 

means for transmitting to said node said Dl, D2 and 
D3 data. 

13. Apparatus as in claim 12 further comprising at 
each node: 

data storage means for storing said KD2 / and KD3' 
data and for addressably accessing same using said 
D2 and D3 data respectively received from a ser- 
vice point; 

data storage means storing said NID data; 

encryption means for encrypting one of said accessed 
KD3' and KD2' data using the other as a key pro- 
ducing encrypted data KD2'(DK30; and 

means for transmitting to said remote station said Dl, 
KD2'(DK3') and NID data. 

14. Apparatus as in claim 13 further comprising at 
each remote station: 

data storage means for storing said KD1" and KD2" 
data and for addressably accessing same using said 
Dl and NID data respectively received from a 
node; 

decryption means for decrypting said KD2'(KD3') 
data using said accessed KD2" data as a key pro- 
ducing decryped data KD3"; and 

key generation means for combining said KD1" and 
KD3" data to produce a cryptographic transaction 
key at the remote station identical to the one gener- 
ated at the service point. 

***** 
[57] ABSTRACT 

A cipher-key distribution system used in a one-way 
communication from a first party to a second party. The 
cipher-key distribution system is composed of a first 
subsystem, a second subsystem, and a common file 
which stores information publicly accessible by the 
first and second subsystems. The first subsystem gener- 
ates a cipher-key based on a constant, receiving party 
identifying information, a random number, and public 
information from the common file. The first subsystem 
also generates a key distributing code based on a con- 
stant, a random number and a first secret information 
and transfers the key distributing code to a second sub- 
system. The second subsystem receives the key distrib- 
uting code and information for identifying the first 
party and generates a second cipher-key identical to the 
cipher-key generated by the first subsystem. The second 
cipher-key is created from the information for identify- 
ing the first party, a second secret information, and the 
key distributing code. The first subsystem, instead of 
generating and transmitting a key distributing code, 
may simply transmit information for identifying the first 
communicating party to the second subsystem. 
CIPHER-KEY DISTRIBUTION SYSTEM 

DETAILED DESCRIPTION OF THE 
INVENTION 

The present invention relates to a key distribution 
system for the one-way communication, from a sending 
party to a receiving party, of a cipher-key for use in 
conventional cryptosystems. 

BACKGROUND OF THE INVENTION 

Well-known prior art key distribution systems include 
the Diffie-Hellman (DH) system and the ID-based system. 
The former is disclosed in Diffie and Hellman, "New 
Directions in Cryptography" in the IEEE Transactions on 
Information Theory, Vol. 22, No. 6, p. 644. According to 
the DH system, which stores public information for each 
communicating party, if party A is to communicate with 
party B in cipher, A prepares a cipher-key from B's 
public information $Y_B$ and its own secret information 
$X_A$. This method, however, allows another party to 
pretend to be an authorized party by illegitimately 
altering public information. 

For information on the latter, the ID-based key 
distribution system, reference may be made to U.S. Pat. 
No. 4,876,716. It uses public identification information 
such as the name of each communicating party to prepare 
a cipher-key. The ID-based system is immune from 
illegitimate alteration of public information. As it 
requires two-way communication, however, there is the 
problem of imposing large overhead on both the sending 
and the receiving parties if a cryptogram is to be sent 
by an existing mail system. 

The DH key distribution system also involves the 
problem of letting an unauthorized receiver pretend to 
be an authorized user by altering public information. 

SUMMARY OF THE INVENTION 

An object of the present invention is to provide a 
system cleared of the above mentioned disadvantages. 

A first system according to one aspect of the inven- 
tion is a cipher-key distribution system for distributing a 
cipher key for use in cipher communication by one 
party with another, provided with: 
a common file for storing public information in a 
position indicated by receiving party identifying 
information, and first and second subsystems, 
wherein: 

said first subsystem comprises: 

reading means for reading said public information out 
of said common file; 

random number generating means for generating 
random numbers; 

first cipher-key generating means for generating a 
cipher key on the basis of a constant, said receiving 
party identifying information given from outside, a 
random number generated by said random number 
generating means and the public information read 
out by said reading means; 

secret information holding means for holding the 
secret information of the communicating party 
using this subsystem; 

key distributing code generating means for generat- 
ing a key distributing code on the basis of said 
constant, said random number and the secret infor- 
mation given from said secret information holding 
means; and 



transmitting means for transmitting the key distribut- 
ing code generated by the key distributing code 
generating means and the information for identify- 
ing the communicating party, and 
said second subsystem comprises: 
receiving means for receiving the key distributing 
code and the identifying information from said 
transmitting means of the first subsystem; 
constant holding means for holding the constant; 
secret information holding means for holding the 
secret information of the communicating party 
using this subsystem; and 
second cipher-key generating means for generating a 
cipher key, which is identical with the cipher-key 
generated by said first cipher-key generating 
means, on the basis of the key distributing code and 
identifying information from said receiving means, 
the constant from said constant holding means and 
the secret information from said secret information 
holding means. 
A second system according to another aspect of the 
invention is a cipher-key distribution system for distrib- 
uting a cipher key for use in cipher communication by 
one party with another, provided with: 
a common file for storing public information in a 
position indicated by receiving party identifying 
information, and first and second subsystems, 
wherein: 
said first subsystem comprises: 
first reading means for reading said public informa- 
tion out of said common file; 
secret information holding means for holding the 
secret information of the communicating party 
using this subsystem; 
first cipher-key generating means for generating a 
cipher key on the basis of a constant, receiving 
party identifying information given from outside, 
the public information read out by said first reading 
means and the secret information from said secret 
information holding means; and 
transmitting means for transmitting the information 
for identifying the communicating party using this 
subsystem, and 
said second subsystem comprises: 
receiving means for receiving the identifying infor- 
mation given from said transmitting means; 
constant holding means for holding the constant; 
secret information holding means for holding the 
secret information of the communicating party 
using this subsystem; 
second reading means for reading said public infor- 
mation out of said common file, and 
second cipher-key generating means for generating a 
cipher key, which is identical with the cipher-key 
generated by said first cipher-key generating 
means, on the basis of the identifying information 
from said receiving means, the constant from said 
constant holding means, the secret information 
from said secret information holding means, and 
the public information given from said second 
reading means. 
A third system according to still another aspect of the 
invention has, within the first subsystem of the first 
system, a personal file for storing part of the informa- 
tion stored in the common file. 

A fourth system according to yet another aspect of 
the invention has, within the first subsystem or 
subsystems of at least one of the first, second and third 
systems, verifying means for verifying the information 
read out of the common file. 

BRIEF DESCRIPTION OF THE DRAWINGS 

Other features and advantages of the present invention 
will become more apparent from the following detailed 
description when taken in conjunction with the 
accompanying drawings in which: 

FIG. 1 shows preparatory steps for first, third and 
fifth preferred embodiments of the invention; 

FIG. 2 illustrates the first preferred embodiment of 
the invention; 

FIG. 3 shows preparatory steps for second, fourth 
and sixth preferred embodiments of the invention; 

FIG. 4 illustrates the second preferred embodiment 
of the invention; 

FIG. 5 illustrates the third preferred embodiment of 
the invention; 

FIG. 6 illustrates the fourth preferred embodiment of 
the invention; 

FIG. 7 illustrates the preparation for the fifth 
preferred embodiment of the invention, taking place after 
the preparatory steps shown in FIG. 1; 

FIG. 8 illustrates the fifth preferred embodiment of 
the invention; 

FIG. 9 illustrates the preparation for the sixth 
preferred embodiment of the invention, taking place after 
the preparatory steps shown in FIG. 3; 

FIG. 10 illustrates the sixth preferred embodiment of 
the invention; and 

FIG. 11 illustrates the configurations of the first 
subsystem 101 and the second subsystem 102 shown in 
FIGS. 2 and 4 through 10. 

In the figures, the same reference numerals denote 
respectively the same constituent elements. 

DETAILED DESCRIPTION OF THE 
PREFERRED EMBODIMENTS 

Referring to FIGS. 2, 4, 8 and 10, each of the 
preferred embodiments of the present invention illustrated 
therein includes a first subsystem 101, a second 
subsystem 102, an insecure cryptogram communication 
channel 103 for transmitting a cryptogram from the 
subsystem 101 to the subsystem 102, an insecure 
intermediate key communication channel 104 for 
transmitting a code $Y_A$ for distributing a coded key from 
the subsystem 101 to the subsystem 102, a common file 105 
for storing public information $X_i$ containing 
identifying information $ID_i$, and a line 106 for 
connecting the common file 105 and the subsystem 101. The 
subsystems 101 and 102 are used by communicating parties 
A and B, respectively. 

First will be described in detail the procedure of 
registration into the common file 105, which is one of 
the characteristic features of the present invention, with 
reference to FIGS. 1 through 3. 

This action takes place before a cryptogram is 
transmitted. 

FIG. 1 shows how preparations are made for the 
generation of cipher-keys $K_A$ and $K_B$ in a preferred 
embodiment of the invention. 

First, large prime numbers p and q are selected (step 
11). Then the product n of these two large prime numbers 
p and q is calculated (step 12). Further, t is selected 
as a number mutually prime to $(p-1)\cdot(q-1)$, and 
$\alpha$ is selected as a positive integer smaller than n, 
which becomes a primitive element in GF(p) and GF(q) 
(step 13). After that, either the subsystem 101 or 102 on 
the part of a new subscriber gives a subscription request 
23 as required. At a key distribution center 100, an 
inquiry is made as to the presence or absence of a 
subscription request, and the inquiry is continued until a 
subscription request is given (step 14). When the inquiry 
at step 14 finds an affirmative reply, identifying 
information $ID_i$ for the pertinent subscriber i is set 
in response to an ID application 24 by the subsystem 101 
or 102 (step 15). Next, by using this identifying 
information $ID_i$, secret information $S_i$ is figured 
out by the following equation (step 16): 

$$S_i = (ID_i)^{-1/t} \bmod n$$ 

where a (mod b) means the remainder of the division of 
a by b. To the new subscriber i are distributed n, 
$\alpha$, t, $ID_i$ and $S_i$ generated at these steps 
12, 13 and 16 (step 17). 

The system on the part of the new subscriber i 
receives n, $\alpha$, t, $ID_i$ and the secret information 
$S_i$ distributed at step 17 (step 18). Next, another 
piece of secret information (a random number) $r_i$ is 
generated (step 19). Then, on the basis of the received 
secret information $S_i$, the newly generated information 
$r_i$ and $\alpha$, which became a primitive element at 
step 13, public information $X_i$ is generated by the 
following equation (step 20): 

$$X_i = S_i \cdot \alpha^{r_i} \bmod n$$ 

Referring to FIGS. 1 and 3, the generated public 
information $X_i$ is stored into a designated address 
$ID_i$ in the common file 105. Then the secret information 
pieces $S_i$ and $r_i$ are stored into secret information 
holding means 1012, n, $\alpha$ and t are stored into 
constant holding means 1013 and, at the same time, $ID_i$ 
is stored into identifying information holding means 1015 
(step 22). 

Steps 11 to 17 are assigned to the key distribution 
center 100. The identifying information $ID_i$, which is 
assigned by the center to be different from one 
communicating party to another, turns generally known 
pieces of information such as the personal name and 
address into identifying codes according to, for instance, 
the ASCII formula. 

Now will be described in detail, with reference to 
FIG. 2, a first preferred embodiment of the present 
invention in which the public information stored in the 
common file 105 is accessed by each communicating 
party. 

It is supposed that, in this first preferred embodiment, 
a sending party A accesses the common file 105, and 
that, at the key distribution center 100, a conversion 
formula and a common parameter are set and personal 
secret information is distributed as shown in FIG. 1. 

The subsystem 101 generates a random number r from 
random number generating means 1011 and, at the same 
time, reads out secret information $S_A$ from the secret 
information holding means 1012 for A and constants 
$\alpha$ and n from the constant holding means 1013. Then 
key distribution code $Y_A$ generating means 1014 
generates a code $Y_A$ as an intermediate cipher-key in 
accordance with: 

$$Y_A = S_A \cdot \alpha^{r} \pmod n$$ 

The code $Y_A$ generated by the generating means 1014 
and identifying information $ID_A$ for A are sent out to 
the line 104 by transmitting means 1016. Code $Y_A$ 
receiving means 1022 of the subsystem 102 receives the 
code $Y_A$ provided via the line 104 and the identifying 
information $ID_A$. Using the identifying information 
$ID_A$ and the code $Y_A$ from the receiving means 1022, 
constants t and n from constant holding means 1021, 
and secret information $r_B$ from secret information 
holding means 1028 for B, cipher-key $K_B$ generating 
means 1023 generates a cipher-key $K_B$ in accordance 
with: 

$$K_B = (Y_A^{t} \cdot ID_A)^{r_B} \pmod n$$ 

Here $K_B = \alpha^{r_B t r} \pmod n$ because 
$Y_A^{t} = S_A^{t} \cdot \alpha^{r t} = (ID_A)^{-1} \cdot \alpha^{r t} \pmod n$. 

There is no need to send second key distributing 
information from the second subsystem 102 to the sub- 
system 101 of the sending party A, because public infor- 
mation on the receiving party B is stored in the common 
file 105 and therefore the subsystem 101 for itself can 
read out this public information. 

Thus the subsystem 101 obtains identifying information 
$ID_B$ for the receiving party B from outside with 
input means 1017 and, at the same time, common file 
reading means 1018 uses this information $ID_B$ to read 
out public information $X_B$ on B from the common file 
105. 

Cipher-key generating means 1019, using these pieces 
of information $ID_B$ and $X_B$, generates a cipher-key 
$K_A$ in accordance with: 

$$K_A = (X_B^{t} \cdot ID_B)^{r} \bmod n$$ 

Here $K_A = \alpha^{r_B t r} \bmod n$ because 
$X_B^{t} = S_B^{t} \cdot \alpha^{r_B t} = (ID_B)^{-1} \cdot \alpha^{r_B t} \pmod n$. 

Therefore, the cipher-key $K_A$ generated by the 
cipher-key $K_A$ generating means 1019 of the subsystem 
101 and the cipher-key $K_B$ generated by the cipher-key 
$K_B$ generating means 1023 of the subsystem 102 become 
identical, so that key distribution can be achieved. 

Thus the sending party A can cipher his message with 
the subsystem 101 by accessing the common file 105 
with the identifying information $ID_B$ for the receiving 
party B. The key can be generated irrespective of the 
presence or absence of the receiving party B, and the 
key distributing code $Y_A$ and the identifying 
information $ID_A$ can be transmitted together with the 
ciphered message. 

An impostor intending to pretend to be a legitimate 
communicating party i by altering public information 
$X_i$ can do so if he finds X and r to satisfy the 
following equation: 

$$X^{t} \cdot ID_i = \alpha^{t r} \bmod n$$ 

The difficulty to meet this requirement, however, even 
in collusion with another legitimate party is evident 
from, for instance, Advances in Cryptology — Crypto 
'87, pp. 196-202. This literature further explains that, 
even if said $X_i$ is made public, neither $S_i$ nor $r_i$, both 
secret information, can be disclosed. 
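
The FIG. 1 registration and the one-way exchange of the first embodiment can be traced numerically. The following is an added example, not code from the patent: the two Mersenne primes, t = 17, the ASCII-bytes-to-integer ID encoding, the dictionary standing in for common file 105, and all class and function names are assumptions chosen for the demonstration.

```python
"""Toy model of the FIG. 1 registration and the first embodiment (added example)."""
import secrets
from itertools import count
from math import gcd

# Constructed demo parameters: two Mersenne primes, far too small for real use.
P, Q, T = 2**31 - 1, 2**61 - 1, 17


def prime_factors(m):
    """Distinct prime factors by trial division (P-1 and Q-1 are smooth)."""
    found, d = set(), 2
    while d * d <= m:
        while m % d == 0:
            found.add(d)
            m //= d
        d += 1
    if m > 1:
        found.add(m)
    return found


def is_primitive_root(a, p):
    return all(pow(a, (p - 1) // f, p) != 1 for f in prime_factors(p - 1))


class KeyCenter:
    """Key distribution center 100 (steps 11 to 17)."""

    def __init__(self, p=P, q=Q, t=T):
        phi = (p - 1) * (q - 1)
        assert gcd(t, phi) == 1            # step 13: t mutually prime to (p-1)(q-1)
        self.n, self.t = p * q, t          # step 12
        self._d = pow(t, -1, phi)          # the exponent "1/t"; needs p and q
        self.alpha = next(a for a in count(2)
                          if is_primitive_root(a, p) and is_primitive_root(a, q))

    def register(self, name):
        """Steps 15-16: ID_i from the ASCII name, S_i = ID_i^(-1/t) mod n."""
        id_i = int.from_bytes(name.encode("ascii"), "big") % self.n
        assert gcd(id_i, self.n) == 1
        return id_i, pow(id_i, -self._d, self.n)


class Subscriber:
    """One party's subsystem: acts as 101 when sending, 102 when receiving."""

    def __init__(self, center, name, common_file):
        self.n, self.t, self.alpha = center.n, center.t, center.alpha
        self.id, self._s = center.register(name)       # step 18
        self._r = 2 + secrets.randbelow(self.n - 2)    # step 19: secret r_i
        # Step 20: X_i = S_i * alpha^r_i mod n, stored at address ID_i.
        common_file[self.id] = self._s * pow(self.alpha, self._r, self.n) % self.n

    def send_key(self, receiver_id, common_file):
        """Sender: returns (K_A, Y_A) with no message from the receiver."""
        r = 2 + secrets.randbelow(self.n - 2)
        x_b = common_file[receiver_id]
        k_a = pow(pow(x_b, self.t, self.n) * receiver_id % self.n, r, self.n)
        y_a = self._s * pow(self.alpha, r, self.n) % self.n
        return k_a, y_a

    def receive_key(self, sender_id, y_a):
        """Receiver: K_B = (Y_A^t * ID_A)^r_B mod n."""
        return pow(pow(y_a, self.t, self.n) * sender_id % self.n, self._r, self.n)


def demo():
    center, common_file = KeyCenter(), {}
    alice, bob, eve = (Subscriber(center, who, common_file)
                       for who in ("alice", "bob", "eve"))
    k_a, y_a = alice.send_key(bob.id, common_file)
    honest_match = bob.receive_key(alice.id, y_a) == k_a

    # Altered common file: Bob's entry replaced by Eve's own X_E.
    altered = dict(common_file)
    altered[bob.id] = common_file[eve.id]
    k_a2, y_a2 = alice.send_key(bob.id, altered)
    # Eve holds r_E and sees Y_A on line 104, but X_E^t * ID_B is not
    # alpha^(t*r_E): the leftover factor (ID_B / ID_E)^r blocks her.
    substituted_match = eve.receive_key(alice.id, y_a2) == k_a2
    return honest_match, substituted_match


if __name__ == "__main__":
    print(demo())
```

The first flag shows A and B deriving the same key from one transmitted code; the second shows that an entry registered under another identity does not satisfy the equation above for $ID_B$, so the substituting party does not obtain A's key.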

Next will be described in detail, with reference to 
FIG. 4, a second preferred embodiment of the inven- 
tion, which is characterized by a procedure to verify 
public information after it is read out. 

First, preparatory steps for the execution of this sec- 
ond embodiment will be explained in detail with refer- 
ence to FIG. 3. 
Referring to FIG. 3, first of all, large prime numbers 
p and q are selected (step 11). Next, the product n of 
these two large prime numbers p and q is calculated 
(step 12). Then, t is selected as a number mutually prime 
to $(p-1)\cdot(q-1)$; $\alpha$ is selected as a positive 
integer smaller than n, which becomes a primitive element 
in GF(p) and GF(q), and further is selected a two-variable 
one-way function f (step 13). After that, either the 
subsystem 101 or 102 on the part of a new subscriber gives 
a subscription request 23 as required. 

At a key distribution center 100, an inquiry is made as 
to the presence or absence of a subscription request, and 
the inquiry is continued until a subscription request is 
given (step 14). When the inquiry at step 14 finds an 
affirmative reply, identifying information $ID_i$ for the 
pertinent subscriber i is set in response to an ID 
application 24 by the subsystem 101 or 102 (step 15). 

Next, by using this identifying information $ID_i$, secret 
information $S_i$ is figured out by the following equation 
(step 16): 

$$S_i = (ID_i)^{1/t} \bmod n$$ 

To the new subscriber i are distributed f, n, $\alpha$, t, 
$ID_i$ and $S_i$ generated at these steps 12, 13 and 16 
(step 17). 
The system on the part of the new subscriber i receives 
f, n, $\alpha$, t, $ID_i$ and the secret information $S_i$ 
distributed at step 17 (step 18). Next, a random number 
$r_i$ is generated (step 19). Then, on the basis of the 
received secret information $S_i$, the newly generated 
secret information (random number) $r_i$ and $\alpha$, 
which became a primitive element at step 13, pieces of 
public information $U_i$ and $V_i$ are generated by the 
following equation (step 20): 

$$U_i = \alpha^{t \cdot r_i} \bmod n$$ 
$$V_i = S_i \cdot \alpha^{r_i \cdot f(U_i, ID_i)} \bmod n$$ 

Referring to FIGS. 1 and 3, the generated public 
information pieces $U_i$ and $V_i$ are stored into the 
common file 105. Then the received secret information 
piece $S_i$ is stored into secret information holding means 
1012, n, $\alpha$ and t are stored into constant holding 
means 1013 and, at the same time, $ID_i$ is stored into 
identifying information holding means 1015 (step 22). 

Steps 11 to 15 and 23 to 24 are assigned to the key 
distribution center 100. 

Now will be described in detail, with reference to 
FIG. 4, a second preferred embodiment of the present 
invention in which the public information stored in the 
common file 105 is accessed by each communicating 
party. 

It is supposed that, in this second preferred 
embodiment, a sending party A accesses the common file 105, 
and that, at the key distribution center 100, a conversion 
formula and a common parameter are set and personal 
secret information is distributed as shown in FIG. 3. 
The subsystem 101 generates a random number from 
random number generating means 1011 and, at the same 
time, reads out secret information $S_A$ from the secret 
information holding means 1012 for A and constants n, 
t and $\alpha$ from the constant holding means 1013. Then 
key distribution code $Z_A$ and $W_A$ generating means 
1014 generates codes $Z_A$ and $W_A$ as intermediate 
cipher-keys in accordance with: 






5,029,208 






$$W_A = S_A \cdot \alpha^{r \cdot f(Z_A, ID_A)} \pmod n$$ 



The codes $Z_A$ and $W_A$ generated by the generating 
means 1014 and identifying information $ID_A$ for A are 
sent out to the line 104 by transmitting means 1007. 
Receiving means 1030 of the subsystem 102 receives the 
codes $Z_A$ and $W_A$ provided via the line 104 and the 
identifying information $ID_A$. Using the identifying 
information $ID_A$ and the codes $Z_A$ and $W_A$ from the 
receiving means 1030, a function f from constant holding 
means 1021 and the constants t and n, verifying means 
1024 checks whether or not $W_A^{t} / Z_A^{f(Z_A, ID_A)}$ 
is equal to $ID_A \pmod n$. 

If the verifying means 1024 verifies the equality, it 
sends an OK signal to generating means 1023. 

In response to this OK signal, the cipher-key 
generating means 1023, using secret information $r_B$ from 
holding means 1028, generates a cipher-key $K_B$ in 
accordance with: 

$$K_B = Z_A^{r_B} \pmod n$$ 

Here, $K_B = \alpha^{t \cdot r \cdot r_B} \pmod n$. 

There is no need to send second key distributing 
information from the second subsystem 102 to the 
subsystem 101 of the sending party A, because public 
information on the receiving party B is stored in the 
common file 105 and therefore the subsystem 101 for itself 
can read out this public information. 

Thus the subsystem 101 obtains identifying information 
$ID_B$ for the receiving party B from outside with 
input means 1017 and, at the same time, reading means 
1018 reads out public information $X_B$ on B from the 
common file 105 in accordance with this information 
$ID_B \pmod n$. 

Then, verifying means 1010 checks whether or not 
$V_B^{t} / U_B^{f(U_B, ID_B)}$ is equal to $ID_B \pmod n$. 

If the verifying means 1010 verifies the equality, it 
sends an OK signal to generating means 1019. 

The cipher-key generating means 1019, using the 
public information $U_B$ provided from reading means 
1018, generates a cipher-key $K_A$ in accordance with: 

$$K_A = U_B^{r} \pmod n$$ 

Here, $K_A = \alpha^{t \cdot r \cdot r_B} \pmod n$ because 
$U_B = \alpha^{t \cdot r_B} \bmod n$. 

Thus is achieved key distribution as the cipher-key 
$K_A$ generated by the cipher-key $K_A$ generating means 
1019 of the subsystem 101 and the cipher-key $K_B$ 
generated by the cipher-key $K_B$ generating means 1023 of 
the subsystem 102 become identical. 

An impostor intending to pretend to be a legitimate 
communicating party i by altering public information 
$U_i$, $V_i$ or key generating information $Z_i$, $W_i$ 
can do so if he finds X and Y to satisfy the following 
equation: 

$$X^{f(X, ID_i)} \cdot ID_i = Y^{t} \bmod n$$ 

The difficulty to meet this requirement, however, even 
in collusion with another legitimate party is described 
in, for instance, IEEE Journal on Selected Areas in 
Communication, Vol. 7, No. 2, pp. 290-294. This 
literature further explains that, even if said $U_i$, 
$V_i$ is made public or said $Z_i$, $W_i$ is tapped, 
neither $S_i$, $r_i$ nor r can be disclosed. 



Next will be described in detail, with reference to 
FIG. 5, a third preferred embodiment of the invention, 
in which both the first subsystem 101 and the second 
subsystem access the common file 105. 

It is supposed that, in this third preferred 
embodiment, a sending party A and a receiving party B 
access the common file 105, and that, at the key 
distribution center 100, a conversion formula and a common 
parameter are set as shown in FIG. 1. Referring to FIG. 5, 
identifying information for the receiving party B is 
entered from input means 1017. In response to this input, 
common file reading means 1018 reads out public 
information $X_B$ on B from a position indicated by $ID_B$ 
in the common file 105. Cipher-key generating means 
1019, using secret information $r_A$ from secret 
information holding means 1012 for A and constants n and t 
from constant holding means 1013, generates a cipher 
key $K_A$ in accordance with: 

$$K_A = (X_B^{t} \cdot ID_B)^{r_A} \bmod n$$ 

Here, $K_A = \alpha^{t \cdot r_B \cdot r_A} \bmod n$ because 
$X_B^{t} = S_B^{t} \cdot \alpha^{r_B t} = (ID_B)^{-1} \cdot \alpha^{r_B t} \pmod n$. 

Identifying information $ID_A$ from identifying 
information $ID_A$ holding means 1015 for A is supplied to 
receiving means 1031 of the subsystem 102 via 
transmitting means 1008 and a line 104. The information 
$ID_A$ supplied from the means 1031 is further provided to 
the common file 105 via reading means 1024 and a line 107. 
The common file 105 outputs public information $X_A$ 
from a position indicated by this $ID_A$ and this public 
information $X_A$, accompanied by $ID_A$ in the reading 
means 1024, is given to the cipher-key generating means 
1023. 

The cipher-key generating means 1023, using constants 
n and t from constant holding means 1021 and 
secret information $r_B$ from secret information holding 
means 1028 for B besides these information pieces $X_A$ 
and $ID_A$, generates a cipher-key $K_B$ in accordance 
with: 

$$K_B = (X_A^{t} \cdot ID_A)^{r_B} \bmod n$$ 

Therefore, key distribution can be achieved if the 
cipher-key $K_A$ generated by the cipher-key $K_A$ 
generating means 1019 of the subsystem 101 and the 
cipher-key $K_B$ generated by the cipher-key $K_B$ 
generating means 1023 of the subsystem 102 become identical 
because: 

$$K_A = \alpha^{t \cdot r_B \cdot r_A} \bmod n = K_B$$ 

Thus, where both the sending party A and the receiving 
party B access the common file 105, the subsystem 
101 can achieve key distribution merely by adding its 
own identifying information $ID_A$ to the ciphered 
message without having to prepare or transmit a key 
distribution code. 

Next will be described in detail, with reference to 
FIG. 6, a fourth preferred embodiment of the invention, 
in which both the first subsystem 101 and the second 
subsystem access the common file 105. 

It is supposed that, in this fourth preferred 
embodiment, a sending party A and a receiving party B 
access the common file 105, and that, at the key 
distribution center 100, a conversion formula and a common 
parameter are set as shown in FIG. 1. Referring to FIG. 6, 
identifying information for the receiving party B is 
entered from input means 1017. In response to this input, 
common file reading means 1018 reads out public 
information $U_B$, $V_B$ on B from a position indicated by 
$ID_B$ in the common file 105. 

Verifying means 1010 checks whether or not 
$V_B^{t} / U_B^{f(U_B, ID_B)}$ is equal to $ID_B \pmod n$. 

If the verifying means 1010 verifies the equality, it 
sends an OK signal to cipher-key generating means 
1019. 

Cipher-key generating means 1019, using secret 
information $r_A$ from secret information holding means 
1012 for A and a constant n from constant holding means 
1013, generates a cipher key $K_A$ in accordance with: 

$$K_A = U_B^{r_A} \bmod n$$ 

Here, $K_A = \alpha^{t \cdot r_B \cdot r_A} \bmod n$ because 
$U_B = \alpha^{t \cdot r_B} \pmod n$. 

Identifying information $ID_A$ from identifying 
information $ID_A$ holding means 1015 for A is supplied to 
receiving means 1031 of the subsystem 102 via 
transmitting means 1008 and a line 104. The information 
$ID_A$ supplied from the means 1031 is further provided to 
the common file 105 via reading means 1024 and a line 107. 
The common file 105 outputs public information $U_A$, 
$V_A$ from a position indicated by this $ID_A$ and public 
information $U_A$, $V_A$, accompanied by $ID_A$ in the 
reading means 1024, is given to the verifying means 1040. 
Verifying means 1040 checks whether or not 
$V_A^{t} / U_A^{f(U_A, ID_A)}$ is equal to $ID_A \bmod n$. 

If the verifying means 1040 verifies the equality, it 
sends an OK signal to cipher-key generating means 
1023. 

The cipher-key generating means 1041, using 
information $U_A$, a constant n from constant holding means 
1021 and secret information $r_B$ from secret information 
holding means 1028 for B generates a cipher-key $K_B$ in 
accordance with: 

$$K_B = U_A^{r_B} \bmod n$$ 

Therefore, key distribution can be achieved if the 
cipher-key $K_A$ generated by the cipher-key generating 
means 1019 of the subsystem 101 and the cipher-key $K_B$ 
generated by the cipher-key generating means 1023 of 
the subsystem 102 become identical because: 

$$K_A = \alpha^{t \cdot r_B \cdot r_A} \bmod n = K_B$$ 

Next will be described in detail, with reference to 
FIGS. 7 and 8, a fifth preferred embodiment of the 
invention. 

It is supposed that, at the key distribution center 100, 
a conversion formula, a common parameter and secret 
information S fl are set as shown in FIG. 1. 

After the preparatory steps shown in FIG. 1, 
preparations particularly for the fifth embodiment are 
accomplished as described below. 

Referring to FIG. 7, identifying information for a 
receiving party B, with whom a sending party A 
frequently communicates, is entered from input means 
1017. In response to this input, common file reading 
means 1018 reads out public information $X_B$ on B from 
a position indicated by $ID_B$ in the common file 105. 

$X_B$ generating means 1032, using $X_B$ from reading 
means 1018 and constants n and t from the constant 
holding means 1009, converts the public information 
$X_B$ into an easier-to-handle form in accordance with: 



and stores $X_B'$ into the $ID_B$ address in a personal 
file 140. 

Next will be described the fifth preferred 
embodiment of the invention in further detail with 
reference to FIG. 8. 

Referring to FIG. 8, receiving party identifying 
information input means 1017 enters receiving party 
identifying information $ID_B$. Then judging means 1033 
judges whether or not the converted public information 
$X_B'$ has been stored into the personal file 140. In 
response to an affirmative judgment, personal file 
reading means 1034 provides $ID_B$ to read the public 
information $X_B'$ out of the personal file 140. 
Cipher-key generating means 1035, using a random number r 
from random number generating means 1011, generates a 
cipher-key in accordance with: 

$$K_A = (X_B')^{r} \bmod n$$ 

If the judgment by the judging means 1033 is negative, 
the subsystem 101 obtains public information $X_B$ for the 
receiving party B from the common file 105 with the 
common file reading means 1018 as well as externally 
provided identifying information $ID_B$ for the receiving 
party B with the input means 1017. The random number 
generating means 1011 generates the random number r. 
Cipher-key generating means 1019, using the public 
information $X_B$ and the identifying information $ID_B$ 
from the reading means 1018, the random number r 
from the generating means 1011, and constants n and t 
from constant holding means 1013, generates a 
cipher-key $K_A$ in accordance with: 

$$K_A = (X_B^{t} \cdot ID_B)^{r} \bmod n$$ 

Both the cipher-key generated by the generating means 
1035 and that by the generating means 1019 are 
$K_A = \alpha^{r_B \cdot t \cdot r} \bmod n$. Key 
distributing code $Y_A$ generating means 1014, after 
reading out secret information $S_A$ from secret 
information holding means 1012 for A and the constants n 
and $\alpha$ from the constant holding means 1013, uses 
said random number r to generate a key distributing code 
$Y_A$ in accordance with: 

$$Y_A = S_A \cdot \alpha^{r} \pmod n$$ 

The code $Y_A$ generated by the generating means 1014 
and the identifying information $ID_A$ for A are sent out 
to the line 104 by transmitting means 1016. Code $Y_A$ 
receiving means 1022 of the subsystem 102 receives the 
code $Y_A$ and the identifying information $ID_A$ for A, 
both provided via the line 104. Using the identifying 
information $ID_A$ and the code $Y_A$ from the receiving 
means 1022, the constants t and n from the constant 
holding means 1021, and secret information $r_B$ from 
secret information holding means 1028 for the receiving 
party B, generating means 1023 generates a cipher-key 
$K_B$ in accordance with: 

$$K_B = (Y_A^{t} \cdot ID_A)^{r_B} \pmod n$$ 

Here, $K_B = \alpha^{r_B \cdot t \cdot r} \pmod n$. 

Therefore, key distribution can be achieved because 
the cipher-key $K_A$ generated by the cipher-key 
generating means 1019 and 1035 of the subsystem 101 and the 
cipher-key $K_B$ generated by the cipher-key generating 
means 1023 of the subsystem 102 become identical. 

Next will be described in detail, with reference to 
FIGS. 9 and 10, a sixth preferred embodiment of the 
invention. 5 

First it is supposed that, at the key distribution center 
100, a conversion formula, a common parameter and 
secret information S 0 are set as shown in FIG, 1. 

Preparations for the sixth embodiment are accom- 
plished as described below. 10 

Referring to FIG. 9, identifying information $ID_B$ for a
receiving party B, with whom a sending party A frequently
communicates, is entered from input means
1017. In response to this input, common file reading
means 1018 reads out public information $U_B$, $V_B$ on B
from a position indicated by $ID_B$ in the common file
105.

Verifying means 1010 checks whether or not
$V_B^t / U_B^{f(U_B, ID_B)}$ is equal to $ID_B \pmod n$.

If the verifying means 1010 verifies the equality, it
stores the public information $U_B$ into the $ID_B$ address of
the personal file 140.

Next will be described the sixth preferred embodiment
of the invention in further detail with reference to
FIG. 10.

Referring to FIG. 10, receiving party identifying
information input means 1017 enters receiving party
identifying information $ID_B$. Then judging means 1033
judges whether or not the public information $U_B$ has
been stored into the personal file 140. In response to an
affirmative judgment, personal file reading means 1034
provides $ID_B$ to read the converted public information
$U_B$ out of the personal file 140. If the judgment by the
judging means 1033 is negative, common file reading
means 1018 reads public information $U_B$, $V_B$ for B out
of a position indicated by $ID_B$ in the common file 105.

Verifying means 1010 checks whether or not
$V_B^t / U_B^{f(U_B, ID_B)}$ is equal to $ID_B \pmod n$.

If the verifying means 1010 verifies the equality, it
supplies an OK signal to cipher-key generating means
1035.

The cipher-key generating means 1035, using the
random number r from the random number generating
means 1011, generates a cipher-key $K_A$ in accordance with:






Key distributing code $Z_A$, $W_A$ generating means 1014,
using the random number r from the random number
generating means 1011, the secret information $S_A$ from
secret information holding means 1012, the function f
and the constants n, a and t from the constant holding
means 1013, generates key distributing codes $Z_A$ and
$W_A$ in accordance with:

$Z_A = a^{t \cdot r} \pmod n$

$W_A = S_A \cdot a^{r \cdot f(Z_A, ID_A)} \pmod n$

The codes $Z_A$ and $W_A$ generated by this generating
means 1014 and the identifying information $ID_A$ from
holding means 1015 are sent out by transmitting means
1016. The information $ID_A$ and the codes $Z_A$ and $W_A$
transmitted via a line 104 are received by receiving
means 1030 of the second subsystem 102 and, at the
same time, provided to verifying means 1024.

Verifying means 1024, using the information $ID_A$, the
codes $Z_A$ and $W_A$, and the function f and constants n
and t from holding means 1021, checks whether or not
$W_A^t / Z_A^{f(Z_A, ID_A)}$ is equal to $ID_A \pmod n$.

If the verifying means 1024 verifies the equality, it
supplies an OK signal to cipher-key generating means
1023.

In response to this signal, the cipher-key generating
means 1024, using $r_B$ from holding means 1028, generates
a cipher-key $K_B$ in accordance with:

$K_B = Z_A^{r_B} \pmod n$

Here, $K_B = a^{t \cdot r \cdot r_B} \pmod n$.

Key distribution is made possible because
$K_B = a^{t \cdot r \cdot r_B} \pmod n = K_A$.
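
The sixth embodiment's receiving side as an added example (not code from the patent): A forms $Z_A$ and $W_A$, B runs the verifying means' check before deriving $K_B$, and altered codes are rejected. SHA-256 as the function f and the issuing rule $S_A = ID_A^{d}$ are assumptions, as are the toy primes, identities and function names.

```python
import hashlib

# Constructed toy parameters; far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1        # centre's secret primes
N = P * Q                          # public constant n
T = 65537                          # public constant t
D = pow(T, -1, (P - 1) * (Q - 1))  # centre's secret exponent (assumed)
A = 7                              # public constant a

def f(z, identity):
    # Assumed stand-in for the one-way function f: SHA-256 of both inputs.
    data = z.to_bytes(16, "big") + identity.to_bytes(16, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def issue_secret(identity):
    # Assumed issuing rule implied by the check: S_i = ID_i^d, so S_i^t = ID_i.
    return pow(identity, D, N)

def make_codes(s_a, id_a, r):
    z_a = pow(A, T * r, N)                       # Z_A = a^(t*r)
    w_a = s_a * pow(A, r * f(z_a, id_a), N) % N  # W_A = S_A * a^(r*f(Z_A, ID_A))
    return z_a, w_a

def verify(id_a, z_a, w_a):
    # W_A^t / Z_A^f(Z_A, ID_A) == ID_A (mod n), rearranged to avoid a division.
    return pow(w_a, T, N) == id_a * pow(z_a, f(z_a, id_a), N) % N

def receive(id_a, z_a, w_a, r_b):
    if not verify(id_a, z_a, w_a):
        return None                  # no OK signal, so no key is generated
    return pow(z_a, r_b, N)          # K_B = Z_A^(r_B)

def demo(r=123456789, r_b=1000003):
    id_a = int.from_bytes(b"ID-A", "big")        # constructed identities
    id_c = int.from_bytes(b"ID-C", "big")
    z_a, w_a = make_codes(issue_secret(id_a), id_a, r)
    return {
        "key_ok": receive(id_a, z_a, w_a, r_b) == pow(A, T * r * r_b, N),
        "altered_z": receive(id_a, z_a * A % N, w_a, r_b),
        "altered_w": receive(id_a, z_a, w_a * A % N, r_b),
        "other_id": receive(id_c, z_a, w_a, r_b),
    }

if __name__ == "__main__":
    print(demo())
```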

The fifth and sixth preferred embodiments of the
invention are characterized by the presence of the
personal file 140 on the first subsystem 101 side. In this file
140 are stored such pieces of information as are
frequently used for communication by the first subsystem
101. Other constituent elements of these embodiments
are identical with the corresponding ones of the first
through fourth embodiments. This personal file 140
contributes to reducing the amount of calculations in
the fifth embodiment when generating a key for the
other party with whom communication frequently
takes place. In the sixth embodiment, it makes possible
dispensation with the verifying means for public
information on the other party with whom communication
frequently takes place.

An example of the subsystems 101 and 102 for use in 
the first through sixth preferred embodiments will be 
described below with reference to FIG. 11. 

Referring to FIG. 11, this system comprises a terminal
unit (TMU) 301, which may be a personal computer
or the like having a function to process communications;
a read only memory (ROM) 302; a random access
memory (RAM) 303; a random number generator
(RNG) 304; a signal processor (SP) 306; and a common
bus 305 to connect the TMU 301, ROM 302, RAM 303,
RNG 304 and SP 306 with one another.

The RNG 304 may consist of, for instance, the key
source 25 disclosed in the U.S. Pat. No. 4,200,700. The
SP 306 may be composed of, for instance, a CY1024
Key Management Processor available from CYLINK.

The RNG 304 generates random numbers r upon an
instruction from the SP 306. In the ROM 502 are stored
public integers t, a, n and one-way function f together
with a secret integer $S_A$ (for use with the subsystem
101) or $r_B$ (for use with the subsystem 102). $S_A$, $r_A$ and
$r_B$ may as well be stored by the user from his TMU into
the RAM upon each occasion of communication. The
above described actions are realized in accordance with
a program stored in the ROM. The RAM 303 is used for
temporarily storing the interim results of calculation or
the like during the execution of these steps.

Each of the subsystems 101 and 102 may be a data 
processor of a general-purpose computer or an IC card. 

As hitherto described in detail, the present invention
provides the benefit of making possible safe unidirectional
key distribution immune from attempts in collusion
at illegitimate alteration of information.

While this invention has thus been described in
conjunction with the preferred embodiments thereof, it will
now readily be possible for those skilled in the art to put
this invention into practice in various other manners.

What is claimed is: 
1. A cipher-key distribution system for distributing a
cipher key for use in cipher communication by a first
communicating party with a second communicating
party, provided with:
a common file for storing public information in a
position indicated by receiving party identifying
information, and first and second subsystems,
wherein:
said first subsystem comprises:

reading means for reading said public information out
of said common file;

random number generating means for generating
random numbers;

first cipher-key generating means for generating a
cipher key based on a constant, said receiving party
identifying information, a random number generated
by said random number generating means and
the public information read out by said reading
means;

first secret information holding means for holding a
first secret information of said first communicating
party using said first subsystem, said first secret
information not accessible to said second communicating
party;

key distributing code generating means for generating
a key distributing code based on said constant,
said random number and the first secret information
given from said first secret information holding
means; and

transmitting means for transmitting the key distributing
code generated by the key distributing code
generating means and information for identifying
the first communicating party, and

said second subsystem comprises:

receiving means for receiving the key distributing
code and the information for identifying the first
communicating party from said transmitting means
of the first subsystem;

constant holding means for holding the constant;

second secret information holding means for holding
the second secret information of said second
communicating party using said second subsystem, said
second secret information accessible only to said
second communicating party; and

second cipher-key generating means for generating a
cipher key, which is identical with the cipher-key
generated by said first cipher-key generating
means, based on the key distributing code and
information for identifying the first communicating
party from said receiving means, the constant from
said constant holding means and the second secret
information from said second secret information
holding means.

2. A cipher-key distribution system for distributing a
cipher key for use in cipher communication by a first
communicating party with a second communicating
party, provided with:

common file means for storing public information in a
position indicated by receiving party identifying
information, and first and second subsystems,
wherein:
said first subsystem comprises:
first reading means for reading said public information
out of said common file means;
first secret information holding means for holding a
first secret information of said first communication
party using said first subsystem said first secret
information not accessible to said second communicating
party;

first cipher-key generating means for generating a
cipher key based on a constant, receiving party
identifying information, the public information
read out by said first reading means and the first
secret information from said first secret information
holding means; and

transmitting means for transmitting information for
identifying the first communicating party using this
subsystem, and

said second subsystem comprises:

receiving means for receiving the information for
identifying the first communicating party given
from said transmitting means;

second reading means for reading said public information
out of said common file means;

constant holding means for holding the constant;

second secret information holding means for holding
the second secret information of said second
communicating party using said second subsystem said
second secret information accessible only to said
second communicating party; and

second cipher-key generating means for generating a
cipher key, which is identical with the cipher-key
generated by said first cipher-key generating
means, based on the constant from said constant
holding means, the second secret information from
said second secret information holding means, the
public information given from said second reading
means, and said information for identifying the first
communicating party from said receiving means.

3. The cipher-key distribution system for distributing
a cipher key for use in cipher communication by a first
communicating party with a second communicating
party, as claimed in claim 1, wherein the first subsystem
further has a personal file for storing part of the public
information stored in the common file.

4. The cipher-key distribution system for distributing 
a cipher key for use in cipher communication by a first 
communicating party with a second communicating 
party, as claimed in claims 1, 2 or 3, wherein the first 
subsystem further has verifying means for verifying the 
public information read out of the common file. 

5. The cipher-key distribution system for distributing
a cipher key for use in cipher communication by a first
communicating party with a second communicating
party, as claimed in claims 1 or 3, wherein the second
subsystem further has verifying means for verifying the
information received from said first subsystem.
***** 